[4346] in WWW Security List Archive
Re: Access Logfile Question
daemon@ATHENA.MIT.EDU (Anton J Aylward)
Tue Feb 11 11:28:49 1997
Date: Tue, 11 Feb 1997 09:03:58 -0500
To: dmurray@pdssoftware.com, Anton J Aylward <anton@the-wire.com>
From: Anton J Aylward <anton@the-wire.com>
Cc: www-security@ns2.rutgers.edu, firewalls@greatcircle.com
Errors-To: owner-www-security@ns2.rutgers.edu
At 11:28 AM 10/02/97 -0500, David Murray wrote:
## Reply Start ##
>> There are many services, UUNET's FTP server being just one of them, which
>> will perform reverse DNS to validate requests. If this fails you're out.
>> Tough - that's their policy.
>> The code for this is simple. Many other sites implement this policy. I
>> think it's perfectly reasonable and recommend it. If someone can't identify
>> themselves they MAY be a crook.
>> They may also be idiots who don't know what they're doing.
>>
>
>I can't remember where I saw it, but I recently read an
>interesting article about mis-uses of DNS. Several backbone
>organizations put such detail into their host (and gateway and
>router) names that, using nslookup, it is possible to physically map
>their network. Not many companies are willing to publish such vital
>corporate information, yet this is a perfectly reasonable and
>accepted policy for DNS. Personally, I don't feel the need to
>publish host names for every PC we have connected to the Internet.
>Is this wrong? I don't know. Can I ftp to uunet? No, but there are
>other mirrors with the same information. While reverse lookup may be
>reasonable, it's not common.
>
>
>David N. Murray | PDS
>Sr. Software Analyst | 670 Sentry Parkway
>610/828-4294 | Blue Bell, PA 19422
>dmurray@pdssoftware.com |
Dave,
You're making an assumption here which I'm not.
Certainly as someone who installs firewalls as part of his job,
I would never set up - or at least never advise a client to set up
DNS so that it is in the situation you describe here.
Your assumption is that the DNS you set up for internal use
listing all your PCs is the same that is visible from the Internet.
You are correct in saying that this need not be so. Indeed, the
set-up of firewall based DNS should make it "not be so".
Archives of the firewall list as well as the major texts
on firewalls discuss split DNS (or split-brain DNS). This involves
two servers, one dealing with the Internet sourced queries and giving out
only basic information, name to IP, possibly MX. There is no reason why
this shouldn't also give out the reverse mapping, as it is not a security risk.
The internal DNS server cannot be accessed from the outside world.
(IPwrappers & the UDP equivalent can be used if you're paranoid)
Policy dictates how much information this contains. It is usually driven by
the needs of the internal staff, and may have such things as CNAMEs or TXT
fields giving the location of the machine, always useful to netadmin staff.
Note this is INTERNAL.
This is not new or revolutionary. The setup manuals for all the firewalls
I deal with either recommend it or discuss using it. It's not hard to do.
Many firewalls have the external DNS part built in, or your backbone ISP can
supply the simple single forward and backward entry.
I don't see how you can assert that reverse lookup is not common without
supplying a source or other basis for this statement. If you have such
information I'd be glad to hear it. I suspect also that firewall vendors
would be glad too, since their product would allow users to run with split
DNS and so access sites that either have no mirrors or sites whose mirrors
the users are unaware of.
## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward | Security is not something that comes in
The Strahn & Strachan Group Inc | a self-contained box. It is an attribute
Information Security Consultants | of how you do business and as such
Voice: (416) 494-8661 | needs to be managed carefully.
Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc.
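Split DNS as described in the reply above, as an added example that is not part of the archived message: a BIND 9 named.conf fragment using views to serve a minimal external zone (name to IP, MX, and the matching reverse map) alongside a fuller internal zone carrying the TXT location notes the reply mentions. The post describes two separate servers; two views on one host give the same data split. The zone name example.com, the 10.0.0.0/8 and 192.0.2.0/24 ranges and all host names are constructed.

```conf
# named.conf (BIND 9): split DNS via views. The post uses two servers; one
# host with two views gives the same data split. Names/addresses constructed.
acl "inside" { 10.0.0.0/8; 127.0.0.1; };
view "internal" {                       # matched first: order matters
    match-clients { "inside"; };
    recursion yes;                      # staff resolve through this view
    zone "example.com" {
        type master;
        file "internal/db.example.com"; # full host list (below)
    };
};
view "external" {
    match-clients { any; };
    recursion no;                       # never recurse for outsiders
    zone "example.com" {
        type master;
        file "external/db.example.com"; # name->IP and MX only (below)
    };
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "external/db.192.0.2";     # reverse map for public hosts
    };
};
; external/db.example.com: what the whole Internet is allowed to learn
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 3600 900 604800 86400 )
        IN NS   ns1.example.com.
        IN MX   10 mail.example.com.
ns1     IN A    192.0.2.1
mail    IN A    192.0.2.2
www     IN A    192.0.2.3
; external/db.192.0.2: matching PTRs, so reverse-lookup policies succeed
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 3600 900 604800 86400 )
        IN NS   ns1.example.com.
1       IN PTR  ns1.example.com.
2       IN PTR  mail.example.com.
3       IN PTR  www.example.com.
; internal/db.example.com: staff-only detail, never served to "external"
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 3600 900 604800 3600 )
        IN NS   ns1.example.com.
ns1     IN A    10.0.0.53               ; internal address of the resolver
fw      IN A    10.0.0.1
fw      IN TXT  "firewall, rack 3, server room"
pc-104  IN A    10.0.1.104
pc-104  IN TXT  "staff PC, 2nd floor, east wing"
```

The three zone sections are separate files referenced by the `file` statements; `named-checkconf` and `named-checkzone` will validate them, and an outside query for pc-104.example.com answers NXDOMAIN because only the external view is reachable.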